A `` panic button '' distributed by the Colombian government to high-risk activists and journalists has a number of security flaws , at least one of which is by design , a security firm reported Vulnerability-related.DiscoverVulnerability . Rapid7 investigated the Eview EV-07S GPS tracker at the behest of The Associated Press . The site lists main applications of the EV-07S as elderly care , disabled and patient care , child protection , employee management , and pet and animal tracking . `` I would n't be worried about giving this to my grandma . But I would be more concerned giving it to anyone who might be at risk , '' said Deral Heiland , internet of things research lead at Rapid7 . The group found Vulnerability-related.DiscoverVulnerability another six vulnerabilities not listed in the manual . Those include a web portal for the device that allows anyone ( even people without passwords ) to access GPS coordinates of any device . Anyone who logs into an account on the site has access Attack.Databreach to other information from all accounts , including phone numbers and device configurations . The device also transmits data in `` clear , '' unencrypted text , allowing anyone to tamper or alter information in transit . Rapid7 spoke with the manufacturer in December to relay its findings . Eview has not informed Rapid7 of any intention to repair the security flaws . `` We thought we had a responsibility to alert Vulnerability-related.DiscoverVulnerability users that these vulnerabilities exist , '' said Heiland .

Discovered Vulnerability-related.DiscoverVulnerability by a security researcher who goes by the name of Zenofex , these security flaws have not been reported Vulnerability-related.DiscoverVulnerability to Western Digital , are still unpatched Vulnerability-related.PatchVulnerability , and with public exploit code is available for more than half of the vulnerabilities . According to Zenofex multiple WD MyCloud NAS device models are affected Vulnerability-related.DiscoverVulnerability , such as : Zenofex 's decision not to inform Vulnerability-related.DiscoverVulnerability Western Digital came after the researcher attended a security conference last year , where other infosec professionals complained about Western Digital ignoring vulnerability reports Vulnerability-related.DiscoverVulnerability . It was at the same conference , Black Hat USA 2016 , where Western Digital also won a Pwnie Award in a category called `` Lamest Vendor Response . '' `` Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure Vulnerability-related.DiscoverVulnerability is worked out , '' Zenofex argued his decision not to wait until Western Digital patches Vulnerability-related.DiscoverVulnerability the security bugs . `` Instead we ’ re attempting to alert Vulnerability-related.DiscoverVulnerability the community of the flaws and hoping that users remove their devices from any public facing portions of their networks , limiting access wherever possible , '' he added . Zenofex , who 's a member of the Exploitee.rs community , says he found Vulnerability-related.DiscoverVulnerability a whopping total of 85 security issues . Based on the exploit code , many of these security flaws can be exploited Vulnerability-related.DiscoverVulnerability by altering cookie values or embedding shell commands in cookie parameters . When the image loads inside their browser , the exploit code executes against the local NAS drive and takes over the device . The most severe of these issues , according to Zenofex , is authentication bypass issue , which ironically was also the easiest to exploit , requiring only the modification of cookie session parameters . And since Murphy 's Law applies to hardware devices as well , things went wrong all the way , and the commands are n't executed under a limited user , but run under root , giving attackers full control over affected devices , allowing them to upload or download data at will .

Western Digital My Cloud NAS devices have again been found Vulnerability-related.DiscoverVulnerability wanting in the security department , as two set of researchers have revealed Vulnerability-related.DiscoverVulnerability a number of serious flaws in the devices ’ firmware . WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization ’ s office , and can be accessed either from a desktop located on the same network or remotely , with a smartphone , from wherever else in the world . Users can interact with it either via the administrative user interface or an application ( that uses a RESTful API ) . Zenofex , a member of the Exploitee.rs team , revealed Vulnerability-related.DiscoverVulnerability the existence of a login bypass issue , several command injection flaws , and a number of other bugs on Saturday . Then , on Tuesday , researchers with the SEC Consult Vulnerability Lab published a security advisory warning about : “ Due to [ no anti-CSRF mechanisms ] , an attacker can force a user to execute any action through any script . As the [ OS command injection and unauthenticated arbitrary file upload vulnerabilities ] do not need authentication , those can be exploited Vulnerability-related.DiscoverVulnerability via CSRF over the Internet as well ! ” , the researchers noted . SEC consult found Vulnerability-related.DiscoverVulnerability the flaws in version 2.11.157 of the firmware on a My Cloud EX2 device , but they believe that other My Cloud devices are almost surely vulnerable Vulnerability-related.DiscoverVulnerability as well , as the same ( or pretty much the same ) firmware is used on all of them . Zenofex did his testing on a My Cloud PR4100 device , but also noted that other My Cloud devices are vulnerable Vulnerability-related.DiscoverVulnerability to the same issues . In the wake of these latest revelations , Securify researchers again pointed to their own research and security advisories from January 2017 dealing with the same or similar vulnerabilities , found Vulnerability-related.DiscoverVulnerability on versions 2.21.119 and 2.21.126 of the firmware . All three groups say that the issues have yet to be fixed Vulnerability-related.PatchVulnerability by Western Digital . SEC Consult researchers complained about the company slow reaction to their responsable disclosure Vulnerability-related.DiscoverVulnerability efforts , while Zenofex noted that the company ’ s dismal reputation when it comes to patching Vulnerability-related.PatchVulnerability reported issues . So , he opted for public disclosure Vulnerability-related.DiscoverVulnerability , in the hopes that this will push the company to pick up the pace . “ Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure Vulnerability-related.DiscoverVulnerability is worked out . Instead we ’ re attempting to alert Vulnerability-related.DiscoverVulnerability the community of the flaws and hoping that users remove their devices from any public facing portions of their networks , limiting access wherever possible , ” he noted .